Triple-des with openssl engine and ncypher hardware.

Hi,   I'm trying to integrate ncipher hardware (nshield) with openssl.I want to implement triple-des with internal keys. I've seen that we can access the "chil" engine with the new openssl engine. How can i use it to encrypt data with triple-des algorithm and keys stored in hardware?   Is it

Error verifying a pkcs7

Hi all, I have an error when I've tryed to verify a PKCS#7 using openssl smime. openssl smime -inform PEM -in firma.p7 -verify -content firma1.txt - certfile crt.pem -CAfile cacert.pem And I get this error: ... firma1.txt content ... Verification failure 21381:error:21071065:PKCS7 routines:PKCS7

Error signing

Hi all, I'm trying to sign a file with a key, but I get this error: openssl rsautl -sign -in texto.txt -inkey key.pem -out firma.p7 Enter PEM pass phrase: RSA operation error 9183:error:0406C06E:rsa routines:RSA_padding_add_PKCS1_type_1:data too large for key size:rsa_pk1.c:73: Howe can I solve

Re: Hard-wired CA-cert in source code?

On Wed, 20 Nov 2002 11:29:26 +0100 (MET), Andreas Jusek wrote: >Hello, >I am developing an SSL-secured client/server application. In one special >case, the client machine isn't trusted to be secure. Therefore I can not >put a CA's certificate into the filesystem, because otherwise an attacker >co

Re: Symmetric key renegotiation

There is a standard of the Aes algorithm, there should be statistical information that you are asking about... Regards Adriano.. El mié, 20-11-2002 a las 14:19, Vishal Mittal escribió: > > I am looking for some statistical figures as to what is considered safe, i.e. how >often should you renego

Re: Symmetric key renegotiation

I am looking for some statistical figures as to what is considered safe, i.e. how often should you renegotiate the key if you are using AES 128 bit encryption (bidirectional). Thanks -VM  Adriano Devillaine <[EMAIL PROTECTED]> wrote: That's depend on the traffic of the points that are using the sym

Re: IMPORTANT: Please try the 0.9.6 snapshots

Richard Levitte - VMS Whacker wrote: Because of lack of time, and because I'm not entirely sure we've gotten all the reported bugs, I'm moving the release of 0.9.6h until thursday night (swedish time). Please test the snapshots for the 0.9.6 branch until then, on as many platforms as you have av

OCSP and new ASN.1 routines

As per my previous mail, I am writing code that, given a cert, looks to see if it has an embedded OCSP Responder, in order to try and validate the cert with the given Responder.   So, I am writing a routine that, given an X509 *cert, looks for the OCSP Responder (all error checking omitted f

Re: I give up

Hi James, I guess IIS recognizes certificates with .cert as file extension. Try naming the certificate you get out of OPENssl as .cert instead of .pem. One more thing.. edit the certificate given by OPENssl and see if it has text in it. If I remember well, openssl certificates have both text and en

Re: Hard-wired CA-cert in source code?

Richard Levitte - VMS Whacker wrote: In message <[EMAIL PROTECTED]> on Wed, 20 Nov 2002 11:29:26 +0100 (MET), Andreas Jusek <[EMAIL PROTECTED]> said: a.jusek> Since the connection is always established to the same a.jusek> server, which is certified by an internal CA, I'm thinking a.jusek> about

Re: Wrong values copied to authorityKeyIdentifier?

On Wed, 20 Nov 2002, Gerd Schering wrote: > Erwann ABALEA wrote: > > > To explain it easily, the authorityKeyIdentifier of servercert is here to > > find the right certificate for serverca. The certificate for serverca can > > be identified by the issuer name of serverca (that is, rootca), and the

Re: Wrong values copied to authorityKeyIdentifier?

On Wed, 20 Nov 2002, Richard Levitte - VMS Whacker wrote: > In message <[EMAIL PROTECTED]> on >Wed, 20 Nov 2002 13:51:58 +0100 (CET), Erwann ABALEA <[EMAIL PROTECTED]> said: > > eabalea> To explain it easily, the authorityKeyIdentifier of servercert is here to > eabalea> find the right certificat

Re: Symmetric key renegotiation

That's depend on the traffic of the points that are using the symmetric encryptation, you can put delimitation with the time, or with the bytes... are you making unidirection or bidirectional encriptation? (maybe VPN ore only SSL ore TTL?) Regards... Adriano. El mar, 19-11-2002 a las 20:13, Visha

Re: OpenSSL won't build under MinGW 2.0.0-3

Jon Hedlund wrote: I just installed the latest 2.0.0-3 version of MinGW and tried to build OpenSSL versions 0.9.6g and 0.9.7-beta4. The build process in both cases compiles for about 10 minutes and then complains about not finding gmkdir and quits. I found a gmkdir binary for Win32 and put it

The openssl s_time command

Hi, I have been trying to get the openssl s_time command to measure the SSL performance despite the non-existing documentation and need some help. All tests from "make test" complete successfully. To set up the test client, I have copied our root cert file from my Apache server to the client si

Re: Wrong values copied to authorityKeyIdentifier?

In message <[EMAIL PROTECTED]> on Wed, 20 Nov 2002 13:51:58 +0100 (CET), Erwann ABALEA <[EMAIL PROTECTED]> said: eabalea> On Wed, 20 Nov 2002, Gerd Schering wrote: eabalea> eabalea> > I have the following CA/cert hierachy: eabalea> > rootca -> serverca -> servercert eabalea> > eabalea> > when I

Re: Hard-wired CA-cert in source code?

In message <[EMAIL PROTECTED]> on Wed, 20 Nov 2002 11:29:26 +0100 (MET), Andreas Jusek <[EMAIL PROTECTED]> said: a.jusek> Since the connection is always established to the same a.jusek> server, which is certified by an internal CA, I'm thinking a.jusek> about hard wiring the CA's cert into the cl

Re: Wrong values copied to authorityKeyIdentifier?

Thanks! Erwann ABALEA wrote: On Wed, 20 Nov 2002, Gerd Schering wrote: I have the following CA/cert hierachy: rootca -> serverca -> servercert when I look at the authorityKeyIdentifier in the servercert I see: keyid: O.K. serial: O.K. but DirName is NOT the DirName of the serverca but the on

Re: OpenSSL does not work with IE Win 98/SGC certificates

Better fix your browser - there is a tiny patch which allows MS IE to work with 128 bit strong encryption. --- Konstantin Kladko <[EMAIL PROTECTED]> wrote: > Folks - > > We are trying to use OpenSSL with an RSA signed SGC > certificate and Win > 98 40-bit IE browser, > but it looks like there i

Re: Wrong values copied to authorityKeyIdentifier?

On Wed, 20 Nov 2002, Gerd Schering wrote: > I have the following CA/cert hierachy: > rootca -> serverca -> servercert > > when I look at the authorityKeyIdentifier in the servercert I see: > keyid: O.K. > serial: O.K. > but DirName is NOT the DirName of the serverca but the one of the rootca! > >

RE: give me some advice about CFB

If you are writing an application using CAST then you don't need to bother about the implementation of the algorithm.You pass the encrypted buffer, mechanism(CAST) and mode(CFB) to the decrypt function. If you are implementing the algorithm then you definitely need to take care of IV that is initi

Wrong values copied to authorityKeyIdentifier?

Hi, I am using openssl-0.9.7-stable-SNAP-20021022, so if the problem has been tackled in a later snap, just let me know. I encountered the following problem: in all config files I use, I set the extension authorityKeyIdentifier = keyid,issuer:always I have the following CA/cert hierachy: rootca

give me some advice about CFB

/* The data is encrypted in CFB mode, with a CFB shift size equal to the cipher's block size. The Initial Vector (IV) is specified as all zeros. Instead of using an IV, OpenPGP prefixes a 10-octet string to the data before it is encrypted. The first eight octets are random, and the 9

RE: How to create DER format cerificates (chains) & usage

Hi, Using OpenSSL command, you can convert PEM format to DER. Normally only der format certificates chains are accepted (p7c). If you want the same functionality in your application, you can use the library to convert from PEM to DER or vice versa. Regards, Murali -Original Message- From

Re: [ANNOUNCE] OpenSSL 0.9.7 beta 4 released

On Tue, Nov 19, 2002 at 02:41:11PM -0500, Leon Finker wrote: > > With 0.9.7 beta 4 cipher list: > openssl ciphers "HIGH:@STRENGTH" > shows ADH-AES256-SHA as first one > > Is ADH normal for HIGH ciphers and sorted by strength? Yes. ADH is part of the cipher list as long as not disabled via !ADH (

Re: I give up

Fixed it, apparently the cert was in PEM format by default and IIS required (BDER format. I have no idea what this means but it fixed it ;) (B (B-- (BJames Smith ([EMAIL PROTECTED] (B (B- Original Message - (BFrom: "James Smith" <[EMAIL PROTECTED]> (BTo: <[EMAIL PROTECTED]> (BSent

How to create DER format cerificates (chains) & usage

Hi, I worked with PEM format certifcate chain files ... working fine... but when tried to work with the DER format certificates & keys... At client side the validation of certificates chains.. for DER format is failing are there any pointers ... that .. How to create the DERfor

Hard-wired CA-cert in source code?

Hello, I am developing an SSL-secured client/server application. In one special case, the client machine isn't trusted to be secure. Therefore I can not put a CA's certificate into the filesystem, because otherwise an attacker could exchange it and redirect the next connection to the server to his

Re: [ANNOUNCE] OpenSSL 0.9.7 beta 4 released

Hello, With 0.9.7 beta 4 cipher list: openssl ciphers "HIGH:@STRENGTH" shows ADH-AES256-SHA as first one Is ADH normal for HIGH ciphers and sorted by strength? Thanx for any input - Original Message - From: "Richard Levitte - VMS Whacker" Sent: Tuesday, November 19, 2002 5:12 AM Subject

Re: [ANNOUNCE] OpenSSL 0.9.7 beta 4 released

Hi, When trying using sessions I get: "1424:error:140920C5:SSL routines:SSL3_GET_SERVER_HELLO:old session cipher not re turned:.\ssl\s3_clnt.c:705:" I get this with s_server/s_client also when specifying -reconnect. __ OpenSSL Pr

Re: X509 memory leak (P)

In message <1037725127.635.56.camel@fearless> on 19 Nov 2002 11:58:47 -0500, Tobias DiPasquale <[EMAIL PROTECTED]> said: toby> I am writing some code that has to do some crypto, and I have come toby> across a memory leak in OpenSSL resulting from the (possible mis-)use of toby> the following code